02-12-2021 03:46 AM
This question is specific to Anyconnect on FTD configured via FMC.
Does anyone know, is it possible to restrict the client OS type to say Windows for a given connection profile ?
I've gone through all the configuration options & I don't see anything that would relate to this. I know there is a capability to do this through GroupPolicy on an ASA, but the FTD seems to have a reduced set of Anyconnect configurability options.
Thanks
Chris.
02-12-2021 03:49 AM - edited 02-12-2021 03:52 AM
To the best of my knowledge you can leverage this using ISE posture. Or you can use FlexConfig in FMC.
02-12-2021 03:55 AM
Thanks Salim. Unfortunately we don't have ISE. Currently running 3FA = Cert, AAA + 2FA, but I want to restrict the connections to ONLY be AnyConnect from Windows devices, preferably for one profile, but would settle for all if it was an option.
I guess I may be out of luck.
02-12-2021 03:57 AM
Just looking now into some Cisco documentation.
Currently unsupported on FTD, but available on ASA:
02-12-2021 04:08 AM
Many thanks for the quick turnaround, much appreciated.
Do you know anything about auto client cert selection not working with AnyConnect to an ASA? Works fine in manual select.
02-12-2021 04:18 AM
I recently installed AnyConnect client v4.9 on my Win10 laptop to connect to an ASA running 9.12.3.12.
- was this working before with a previous version of ASA and another version of AnyConnect?
For perspective, this is a preparation job, so the ASA external Cert is valid, but does NOT currently match its IP/FQDN due to that being used on another gateway we are replacing.
- have you created and bound it to this ASA? ssl trust-point CERT-NAME Outside
If I configure 2FA, everything works as expected. But when I try 3FA using a client-side certificate it will only work if I select cert store override in the profile & set cert selection to user control. If I try to use automatic selection, it comes back with Certificate Validation Failure.
- does the client have a cert in its Windows cert store? cert mmc or certmgr.msc
The ASA has the correct CA & Intermediate Certs. It works fine if I manually select the Cert from the popup that appears as part of connection/login. So I know the correct cert is installed & matching CA certs on the ASA. But I can't seem to get auto cert selection working.
- what are your tunnel-group policies?
02-12-2021 06:49 AM
Thanks Salim, as per below:
- was this working before with a previous version of ASA and another version of AnyConnect?
Was never tried with older versions; this is a new temporary solution at an existing site whilst the client moves their Palo Alto GlobalProtect solution to a new site. Thus the Tier 2 ASAs will become temporary Tier 1/2 FWs.
- have you created and bound it to this ASA? ssl trust-point CERT-NAME Outside
Yes, bound & working.
- does the client have a cert in its Windows cert store? cert mmc or certmgr.msc
Yes, works fine to our FTD site, just these new ASA connections won't auto select the correct cert.
- what are your tunnel-group policies?
I have tried changing the connection profiles to no avail, both created via the ASDM wizard & manually adjusted, including adding a Certificate section, but auto selection still fails while manual selection works fine.
Regards
Chris
02-12-2021 04:16 AM
@ida71 FTD requires the AnyConnect package uploaded in order for clients to connect, so if you only uploaded the Windows package then Linux or macOS clients would be unable to connect. That would be for all connection profiles though.
What AAA are you using? If using RADIUS, the AnyConnect package version/OS is included in the RADIUS packet, so you could potentially (not tried it) limit access that way.
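As an added illustration of the RADIUS-side check Rob describes (example code, not from the thread or any Cisco product): a small policy function that reads the endpoint attributes a headend forwards in the Access-Request and accepts only Windows AnyConnect clients on one named connection profile, failing closed when no OS is reported. The attribute names and value formats (Cisco-AVPair with mdm-tlv=device-platform=win, the tunnel-group attribute, the profile names) are assumptions to confirm against your own RADIUS server's debug output.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Attribute names and value formats are assumptions modelled on the Cisco AV-pair
# "mdm-tlv" endpoint data an ASA/FTD headend forwards; confirm the exact strings
# from your own RADIUS server's debug output before relying on them.
AVPAIR_ATTR = "Cisco-AVPair"
TUNNEL_GROUP_ATTR = "CVPN3000/ASA/PIX7.x-Tunnel-Group-Name"
PLATFORM_RE = re.compile(r"^mdm-tlv=device-platform=([A-Za-z0-9_.-]+)$")

# Policy: connection profile -> platform codes allowed on it ("win" assumed for
# Windows). Profiles absent from the policy are not restricted.
POLICY: Dict[str, Set[str]] = {"CORP-WINDOWS-ONLY": {"win"}}

def endpoint_platform(attrs: Dict[str, List[str]]) -> Optional[str]:
    """Return the reported device-platform code, or None if none was sent."""
    for value in attrs.get(AVPAIR_ATTR, []):
        m = PLATFORM_RE.match(value.strip())
        if m:
            return m.group(1).lower()
    return None

def evaluate(attrs: Dict[str, List[str]], policy=POLICY) -> Tuple[bool, str]:
    """Return (accept, reason) for one Access-Request.

    A restricted profile fails closed: a request without platform data is
    rejected, since a client that reports no OS cannot be shown to be Windows.
    """
    groups = attrs.get(TUNNEL_GROUP_ATTR, [])
    profile = groups[0] if groups else None
    allowed = policy.get(profile)
    if allowed is None:
        return True, f"profile {profile!r} is not restricted"
    platform = endpoint_platform(attrs)
    if platform is None:
        return False, f"profile {profile!r} restricted but no device-platform reported"
    if platform in allowed:
        return True, f"platform {platform} permitted on {profile}"
    return False, f"platform {platform} not permitted on {profile}"

# Constructed sample requests (not captured traffic).
WIN_REQ = {TUNNEL_GROUP_ATTR: ["CORP-WINDOWS-ONLY"],
           AVPAIR_ATTR: ["mdm-tlv=device-platform=win",
                         "mdm-tlv=device-platform-version=10.0.19042"]}
MAC_REQ = {TUNNEL_GROUP_ATTR: ["CORP-WINDOWS-ONLY"],
           AVPAIR_ATTR: ["mdm-tlv=device-platform=mac-intel"]}
NO_DATA_REQ = {TUNNEL_GROUP_ATTR: ["CORP-WINDOWS-ONLY"]}
OTHER_PROFILE_REQ = {TUNNEL_GROUP_ATTR: ["CONTRACTORS"],
                     AVPAIR_ATTR: ["mdm-tlv=device-platform=linux-64"]}
```

The same decision would live in a policy module or unlang section on the RADIUS server itself; the Python only shows the logic and the fail-closed case.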
02-12-2021 06:52 AM
Thanks Rob, I thought the package was just for updates/download like on the ASA; if you have pre-deployed AnyConnect surely it would still work!?
I'll have a look at the RADIUS auth to see if that will work.
Regards
Chris.
02-12-2021 06:56 AM
Yes, it does updates... but you need a package for each OS (Windows, Linux and macOS) uploaded to the headend (FTD or ASA) in order for that OS to establish a VPN tunnel.
02-12-2021 07:09 AM - edited 02-12-2021 07:11 AM
Yes, just to mention, we have seen this since we all started working from home due to COVID. Let's say you are running AnyConnect 4.7 and so your clients are running 4.7. You upgrade the AnyConnect headend on your firewall to 4.9. Now we noted some of the clients were able to get the upgrade automatically when they connected to the AnyConnect URL, but other clients were having issues, therefore we had to change the AnyConnect order on the FTD to priority 1 as 4.7 and priority 2 as 4.9 to get this issue fixed.
The other option is to use SCCM to push the software.
02-12-2021 04:13 AM
You have not mentioned what FMC/FTD software you are on. I just had a good look at the documentation here; they mention the attributes which can be reflected with ISE or a RADIUS server.
02-12-2021 06:58 AM
Apologies, versions are FMC 6.4.0.9-62 & FTD 6.4.010-2.